3. Adding A Remote Server To Icinga

Monitoring localhost is nice, but of course, it would be even better if we could monitor all of our servers in one location. This is possible with Icinga, and this chapter describes how we can add our second Ubuntu 11.10 server to the setup.

To do this, we need to install the Nagios NRPE (Nagios Remote Plugin Executor) server on the server to be monitored, and the Nagios NRPE plugin on Icinga server (monitoring server). The NRPE server will listen on server to be monitored; and Icinga server will connect to it using the NRPE plugin and pass commands to it that the NRPE server will execute on the monitored server; finally, it will pass back the results to Icinga server.

First we install the nagios-nrpe-plugin package on Icinga server:

Icinga server

apt-get install nagios-nrpe-plugin

Nagios web administration password:<– nagiosadmin_password
Password confirmation:<– nagiosadmin_password

Monitored server

Now we go to monitored server:

Install the nagios-nrpe-server package :

apt-get install nagios-nrpe-server

Now open /etc/nagios/nrpe.cfg :

vi /etc/nagios/nrpe.cfg

We must configure the NRPE server to allow Icinga server to connect, therefore we add IP-ADDRESS Icinga server to the allowed_hosts line:

[...]
# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address.  I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=127.0.0.1,192.168.0.100
[...]
</file>

(If you don't do this, you will get the following error when you run

/usr/lib/nagios/plugins/check_nrpe -H 192.168.0.101 on Icinga server:

root@Icinga_server:/etc/nagios-plugins/config# /usr/lib/nagios/plugins/check_nrpe -H IP_ADDRESS_SERVER...........here it is IP address of monitored server\

CHECK_NRPE: Error - Could not complete SSL handshake.\

root@Icinga_server:/etc/nagios-plugins/config#  )

Also, Icinga server needs to be allowed to pass command line arguments to the NRPE server, so still in the same file we set 
dont_blame_nrpe
to 
1
:

<code>[...]
# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed.  This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
#<nowiki> *</nowiki><nowiki>*</nowiki><nowiki>*</nowiki> ENABLING THIS OPTION IS A SECURITY RISK!<nowiki> *</nowiki><nowiki>*</nowiki><nowiki>*</nowiki>
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

dont_blame_nrpe=1
[...]
</file>

(If you don't do this, you will see the error

CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

for lots of remote service checks in the Icinga web interface, and in 
/var/log/syslog
on monitored server you will see these errors:

Aug 23 14:20:20 monitored_server nrpe[11496]: Error: Request contained command arguments, but argument option is not enabled!\

Aug 23 14:20:20 monitored_server nrpe[11496]: Client request was invalid, bailing out...

)

Finally we must add command definitions for each service check we want to run on monitored server and that is not already defined. I want to run the the 
check_procs
, 
check_all_disks
, and 
check_mysql_cmdlinecred
checks on monitored server; these are not defined in 
/etc/nagios/nrpe.cfg
, so I add them now (I also want to run the 
check_users
and 
check_load
checks, but these are already defined):

<code>[...]
command[check_procs]=/usr/lib/nagios/plugins/check_procs -w 250 -c 400
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w '20%' -c '10%' -e
command[check_mysql_cmdlinecred]=/usr/lib/nagios/plugins/check_mysql -H localhost -u 'nagios' -p 'howtoforge'
[...]

(If you don't do this, you will get errors like

NRPE: Command 'check_all_disks' not defined
NRPE: Command 'check_mysql_cmdlinecred' not defined
NRPE: Command 'check_procs' not defined

in the Icinga web interface.)

As you see I have hardcoded the command line arguments because using variables like command[check_procs]=/usr/lib/nagios/plugins/check_procs -w

$ARG1$

-c

$ARG2$ did not work for me. But still, when we configure the service checks for monitored server on Icinga server, we will have to pass command line arguments to these checks; monitored server will ignore these because I have hardcoded the comand line arguments into /etc/nagios/nrpe.cfg , but if you leave them out, you will get errors like /usr/lib/nagios/plugins/check_nrpe: option requires an argument – 'a' in the Icinga web interface.

Now save the file and restart the NRPE server:

/etc/init.d/nagios-nrpe-server restart

Now check if the NRPE server is listening:

Icinga server

netstat -tap | grep nrpe

root@monitored_server:~# netstat -tap | grep nrpe
tcp        0      0 *:nrpe                  *:*                     LISTEN       23668/nrpe
root@monitored_serv:~#

Now go back to Icinga server and configure to check if it can connect to the NRPE server on monitored server:

/usr/lib/nagios/plugins/check_nrpe -H IP_ADDRESS  ;this time IP address of monitored server

output should be as follows in case of success:

root@Icinga_server:~# /usr/lib/nagios/plugins/check_nrpe -H IP_ADDRESS   ;IP address of monitored server
NRPE v2.12
root@Icinga_server:~#

Monitored server

We want to check MySQL on monitored server; because we use the NRPE daemon, we can run the check locallyon monitored server, i.e., we don't have to open MySQL to the outside to allow Icinga server to run the check. Therefore I create the MySQL user nagios for localhost and localhost.localdomain instead of for Ip addreress of Icinga sever and server1.example.com :

mysql -u root -p

GRANT USAGE ON *.* TO nagios@localhost IDENTIFIED BY 'howtoforge';
GRANT USAGE ON *.* TO nagios@localhost.localdomain IDENTIFIED BY 'howtoforge'; FLUSH PRIVILEGES;
quit;

Now we go back to Icinga server…

Icinga server

.. and create the Icinga configuration for monitored_server:

vi /etc/icinga/objects/server2_icinga.cfg
use                             generic-service         ; Name of service template to use
       host_name                       server2.example.com
       service_description             Disk Space
       check_command                   check_nrpe!check_all_disks!20%!10%
}
define service{
       use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
       service_description             Current Users
       check_command                   check_nrpe!check_users!20!50
}
define service{
       use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
       service_description             Total Processes
       check_command                   check_nrpe!check_procs!250!400
}
define service{
        use                             generic-service         ; Name of service template to use
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
        service_description             Current Load
        check_command                   check_nrpe!check_load!5.0!4.0!3.0!10.0!6.0!4.0
}
define service{
       use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
       service_description             MySQL
       check_command                   check_nrpe!check_mysql_cmdlinecred!nagios!howtoforge
}
define service{
       use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
       service_description             SMTP
       check_command                   check_smtp
}
define service{
       use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
       service_description             POP3
       check_command                   check_pop
}
define service{
       use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
       service_description             IMAP
       check_command                   check_imap
}

(As I've mentioned before, although I have hardcoded the command line arguments for some commands into /etc/nagios/nrpe.cfg on monitored_server, we still need to add command line arguments to certain these checks here.)

As you see, I use check_nrpe for some checks and pass the actual check (like check_all_disks ) as a command line argument to check_nrpe . These are the checks that will be executed locally by the NRPE server on monitored_server

. check_nrpe is not needed for all checks. Checks that test a connection from the outside like check_ping or check_smtp can be run from server1 .

To check the SSH and HTTP services on monitored_server

, we can EITHERadd the following stanzas to /etc/icinga/objects/server2_icinga.cfg …

[...]
define service {
   use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
        service_description             SSH
        check_command                   check_ssh
}
define service {
        use                             generic-service
       host_name                       monitored_server.example.com ; OR IP_ADDRESS
        service_description             HTTP
        check_command                   check_http
}

… ORwe add

monitored_server .example.com to the http-servers and ssh-servers hostgroups in /etc/icinga/objects/hostgroups_icinga.cfg :

vi /etc/icinga/objects/hostgroups_icinga.cfg
# Some generic hostgroup definitions

# A simple wildcard hostgroup
define hostgroup {
   hostgroup_name  all
                alias           All Servers
                members<nowiki>         *</nowiki>
        }

# A list of your Debian GNU/Linux servers
define hostgroup {
        hostgroup_name  debian-servers
                alias           Debian GNU/Linux Servers
                members         localhost,monitored_server.example.com
        }

# A list of your web servers
define hostgroup {
        hostgroup_name  http-servers
                alias           HTTP servers
                members         localhost,monitored_server.example.com
        }

# A list of your ssh-accessible servers
define hostgroup {
        hostgroup_name  ssh-servers
                alias           SSH servers
                members         localhost,monitored_server.example.com
        }

Restart Icinga:

/etc/init.d/icinga restart

Afterwards you should find server2 in the Icinga web interface: